PIX VPN/XP Client question.

I have a user who telecommutes from home over VPN. The problem is - when he's connected to the VPN - he can't browse web pages external to the office network - only internal web sites. It seems I have had success in the past in VPN Properties/Networking Tab/Internet Protocol (TCP/IP)/Properties button/Advanced Button/check "Use default gateway on remote network". But this hasn't been a consistent fix... Any ideas?

Which client does he use? PIX supports both the Cisco VPN client and the Microsoft PPTP client.
The Microsoft client works if you un-check the "Use default gateway on remote network" box, but that may break their ability to access internal resources.
The Cisco client is totally controlled by the PIX. The network admin would have to enable "split-tunneling", which may or may not be against company policy.

Split-tunnelling can be a risk because it enables a PC to be connected to untrusted and trusted networks simultaneously. Untrusted = the internet.

Imagine a piece of malicious software that connected to an attacker's site and waited for instructions while the VPN client was connected to the company network. The user's PC could then provide the attacker the same level of access to the company network as the user.

This risk can be mitigated somewhat by ensuring that the user's antivirus software is up to date prior to allowing a connection, and by limiting what the user can install on their PC.

A more secure alternative that provides the user with access to the web while connected to the company network would be to use a proxy server that is on the company network. In other words, don't use split-tunnelling at all - web requests would be forwarded to the proxy, which would request the web page on the user's behalf.

Yes, split tunneling is a "HUGE" risk.
The problem with using the Microsoft client is that the USER is in full control with one little tick of the "Use default gateway on remote network" box. Un-tick it and split-tunneling is enabled.
The Cisco VPN client is 100% controlled by the ADMIN.
One of the best solutions is to set up a web proxy at HQ, force use of the Cisco VPN client and force users to go through the proxy.
The reason that it is not consistent is because of the classful nature of PPTP. It all depends on the class of the IP address assigned to the client and to the remote LAN. I can explain that further if necessary, but it's a lesson in classful IP networks....
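As an added illustration (not part of any post in this thread) of the classful point above: with the "Use default gateway on remote network" box un-ticked, a classful PPTP client sends only the classful network of its assigned address through the tunnel, so whether the office LAN stays reachable depends on the address plan. The routing model below and the sample address plans are assumptions of this example.

```python
import ipaddress

# Added example: models the route a classful PPTP client installs so the
# "inconsistent" behaviour can be predicted from the address plan.
# The model (default route when ticked, classful route when un-ticked) is an
# assumption of this example, not verified against the Windows implementation.

def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Classful network implied by an IPv4 host address (A=/8, B=/16, C=/24)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is not a class A/B/C host address")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def tunnel_routes(client_ip: str, use_default_gw_on_remote: bool):
    """Routes sent through the VPN adapter.
    Box ticked: everything (0.0.0.0/0), so web traffic also enters the tunnel.
    Box un-ticked: only the classful network of the assigned address (split tunnel)."""
    if use_default_gw_on_remote:
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [classful_network(client_ip)]

def via_tunnel(client_ip: str, use_default_gw_on_remote: bool, dest: str) -> bool:
    """True if a packet to dest would be routed into the VPN."""
    d = ipaddress.IPv4Address(dest)
    return any(d in net for net in tunnel_routes(client_ip, use_default_gw_on_remote))

def split_tunnel_report(client_ip: str, office_lans):
    """For a split-tunnel client, which office LANs remain fully reachable."""
    route = classful_network(client_ip)
    return {lan: ipaddress.ip_network(lan).subnet_of(route) for lan in office_lans}

if __name__ == "__main__":
    # Constructed sample address plans: the same tick-box setting works for
    # a class A plan but silently loses a second class C office subnet.
    print(split_tunnel_report("10.1.2.3", ["10.0.5.0/24", "10.20.0.0/16"]))
    print(split_tunnel_report("192.168.1.50", ["192.168.1.0/24", "192.168.2.0/24"]))
    print(via_tunnel("192.168.1.50", True, "203.0.113.10"))
```

A client at 192.168.1.50 with the box un-ticked keeps 192.168.1.0/24 but loses 192.168.2.0/24, while a 10.x client keeps every 10.x subnet; with the box ticked every destination, including the web, goes into the tunnel.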
